Penetration testing is an IT security process in which a skilled tester carries out an authorized, simulated attack on a system with the primary goal of identifying vulnerabilities. In recent years, as the online economy transformed both business and society, the need for this type of service has emerged as a requirement for organizations of all sizes. A penetration test takes a holistic look at your organization’s security through the eyes of an attacker. The process forms part of a security risk assessment, which includes activities such as identifying vulnerabilities in your IT environment, web application testing, and assessing the state of your staff’s security awareness with simulated social engineering attacks.
Modern organizations are entirely dependent on technology to operate effectively, and the information they produce and store on their IT infrastructure has grown into a business asset which holds intrinsic value. The digital age has spawned a new type of criminal, one which is intent on breaking into systems and stealing data. Penetration testing was created to simulate this criminal activity and help businesses find any weaknesses and implement remedies before a hacker could exploit them. However, is penetration testing an essential practice for every organization and what are the benefits and drawbacks of undertaking such an exercise?
No organization is immune from a cyber attack. Even though big names make the news when they are the victims of a hack, small businesses are the most common victims of data breaches according to the Verizon 2018 Data Breach Investigations Report. Consequently, penetration testing is no longer a recommendation but a necessity for every organization which operates online, and in some instances it is a condition for achieving compliance.
The Payment Card Industry Data Security Standard (PCI-DSS) mandates under requirement 11.3 that organizations which store and process card payments must regularly perform penetration tests to identify possible security issues. Other regulatory frameworks, such as the European Union’s General Data Protection Regulation (GDPR), do not explicitly state that penetration tests are mandatory. They do however require organizations to assess their applications and critical infrastructure for security vulnerabilities regularly. As such, every business which needs to meet specific compliance requirements must include penetration testing as part of their IT security framework.
There are many advantages which organizations derive from conducting regular penetration tests on their IT environment. The most significant benefit is that it introduces a proactive human element into an organization’s cybersecurity structure. By immersing themselves into an attacker’s mindset, penetration testers gain a unique perspective on an organization’s existing IT defenses. This point of view places them in an exceptional position to identify potential vulnerabilities specific to the organization which automated vulnerability scans often miss.
Every organization is unique, and penetration testers take this into account when conducting their assessment. Although modern vulnerability scanners can detect a myriad of vulnerabilities in known systems, these generic solutions often miss potential issues which are business specific. A skilled penetration tester may use automated tools but will supplement these with real-world skill and experience, ensuring a holistic approach. By tailoring their assessment to meet the unique needs of each organization, the tester can uncover issues which are specific to the organization under review.
Modern automated vulnerability scanners often detect a myriad of low-risk vulnerabilities in any IT infrastructure. In isolation, these risks may seem negligible and pose no real threat to the business. However, the combination of a few of these identified weaknesses could well represent a significant risk if an attacker exploits them in a particular sequence. Automated vulnerability scans lack the intelligence to make these connections. A skilled penetration tester, by contrast, can recognize such a combined risk, as their talent and experience give them the human ability to connect the dots.
The final stage in any professional penetration test is the submission of a report with findings and recommendations. Unlike automated tools which provide general fixes, a document written by a skilled penetration tester will offer specific suggestions created to remedy the particular weaknesses they uncovered during their assessment.
Even though penetration testing offers multiple advantages, there are a few caveats which business leaders need to take cognizance of before agreeing to an assessment.
The human element may be the most significant advantage of a penetration test, but it could also be its greatest weakness. As stated previously, many of the benefits of a penetration test directly correlate with the skill and experience of the individual or team conducting the exercise. Less experienced individuals may not have the expertise to identify rare vulnerabilities, or the ability to recognize a significant risk by chaining several smaller threats together.
A successful penetration test should assess an organization’s entire technology environment. Often organizations are hesitant to test their complete IT landscape due to the impact the test may have on their day-to-day operations. However, unless the test covers the entire IT infrastructure, the assessment of the organization’s risk is incomplete, as it may miss specific vulnerabilities in the untested areas of the environment.
Protecting your organization from cybersecurity threats requires you to take a proactive approach. Small businesses are prime targets for cyber criminals, as the most recent data breach statistics have shown. Penetration testing is a proactive security process which introduces the human element needed in today’s threat environment. It takes a holistic approach and is tailored to the unique needs of each organization. However, if you are considering a penetration test, ensure your tester has the requisite skills and experience, and be sure to test every facet of your organization’s IT systems and defenses.